Magecart campaigns are loading client-side skimmers during checkout, using the Hunter obfuscator to conceal the JavaScript and inject additional form fields. The chain ends with encoded credit card data stored in a cookie and exfiltrated via POST, all hosted on shared infrastructure. #Hunter #Magecart #Magento #Porkbun
Keypoints
- The attack injects code inside the site’s source that calls out a remote URL which loads the skimmer during checkout.
- The obfuscated payload is produced with Hunter (a PHP/JavaScript obfuscator) and decoded via eval to reveal instructions.
- At checkout, additional fields are inserted into the form to capture credit card data, with some fields placed between the shopper’s email and name.
- Captured card data is encoded, stored in a cookie, and then exfiltrated via a POST request.
- The skimmer infrastructure is hosted on a single server (193.201.9.116) with many associated domains registered to Porkbun.
MITRE Techniques
- [T1059.007] JavaScript – The attack loads the skimmer via remote JavaScript and uses eval to process dynamic strings. ‘The "eval" portion of the code is a clear giveaway that the random looking string is being processed dynamically to return some instructions.’
- [T1189] Drive-by Compromise – Initial code injected into the website’s source calls out a remote URL that loads the skimmer during checkout. ‘The attack relies on 2 steps: the first one is code injected inside the website’s source that calls out a remote URL.’
- [T1027] Obfuscated/Compressed Files and Information – The Hunter obfuscator is used to hide the payload. ‘The Hunter obfuscator is handy but quite easy to reverse and as such provides minimal stealth capabilities.’
- [T1056.003] Web Form – Additional fields are injected into the checkout form to capture card data. ‘additional fields injected in the contact form’ and ‘the shopper’s email address and name.’
- [T1132] Data Encoding – Credit card data is encoded before exfiltration. ‘The credit card data to be stolen is encoded, then stored inside a cookie…’
- [T1041] Exfiltration Over C2 Channel – Encoded data is exfiltrated via a POST request. ‘and subsequently exfiltrated via a POST request.’
- [T1562.001] Impair Defenses – The use of anti-debugging routines to hinder analysis. ‘anti-debugging routines.’
Indicators of Compromise
- [IP Address] Infrastructure host for the Magecart skimmer – 193.201.9.116
- [Domain] Skimmer domains – 1537la.buzz, 1537li.buzz, 1537lx.buzz, 1568la.buzz, 1568li.buzz, 1568lx.buzz, 1599la.buzz, 1599li.buzz, 1599lx.buzz, 1599lz.buzz, appcloud1.buzz, appcloud19.buzz, appcloud2.buzz, appcloud20.buzz, appcloud3.buzz, appcloud5.buzz, araboxtv.sbs, blindsmax.sbs, bubapeq.quest, dev-extension.cloud, dev-extension.one, dev-extension.us, hedeya.sbs, inspirefitness.sbs, motherearthlabs.sbs, nasaservers.sbs, newarriwal.quest, paramountchemicals.sbs, peqart.sbs, remediadigital.sbs, roboshop.sbs, schmerzfrei-shop.sbs, swsgswsg.sbs, thecornerstoreau.sbs, ultracoolfl.sbs
Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer